From cam at mathematica.scientia.net Tue Nov 1 00:51:58 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Tue Nov 1 00:51:47 2005
Subject: GnuPG key capabilities
In-Reply-To: <20051028191129.GA27024@jabberwocky.com>
References: <000501c5dbf2$aaa78100$d81387d8@net> <20051028191129.GA27024@jabberwocky.com>
Message-ID: <4366AE1E.6030701@mathematica.scientia.net>

David Shaw wrote:

>On Fri, Oct 28, 2005 at 02:06:09PM -0500, Joe Vender wrote:
>
>>Is it possible, in GnuPG, to change the key and subkey capabilities after
>>the keys are generated? If so, how?
>
>Theoretically possible, but not currently possible in GnuPG.

Eh?
What do you mean by capabilities? I thought things like the algorithm
preferences and features like [mdc] could be changed even without
losing signatures from other people.

Chris.

From jvender at owensboro.net Tue Nov 1 01:47:18 2005
From: jvender at owensboro.net (Joe Vender)
Date: Tue Nov 1 01:49:14 2005
Subject: GnuPG key capabilities
References: <000501c5dbf2$aaa78100$d81387d8@net><20051028191129.GA27024@jabberwocky.com> <4366AE1E.6030701@mathematica.scientia.net>
Message-ID: <001701c5de7d$d2c2fec0$371387d8@net>

A specific key's capabilitie(s) are the defined purpose(s) or usage of the
particular key. For example, when you generate a key, you are asked what
the key should be used for (encrypt only, sign only, encrypt & sign,
authentication, certification). These are the possible key capabilities,
and when chosen at key generation time, become the key's capabilitie(s).
The key's capabilities are displayed after "usage:" when you do a
gpg --edit-key.

----- Original Message -----
From: "Christoph Anton Mitterer"
To: "David Shaw"
Cc:
Sent: Monday, October 31, 2005 5:51 PM
Subject: Re: GnuPG key capabilities

> David Shaw wrote:
>
> >On Fri, Oct 28, 2005 at 02:06:09PM -0500, Joe Vender wrote:
> >
> >>Is it possible, in GnuPG, to change the key and subkey capabilities after
> >>the keys are generated? If so, how?
> >
> >Theoretically possible, but not currently possible in GnuPG.
>
> Eh?
> What do you mean by capabilities? I thought things like the algorithm
> preferences and features like [mdc] could be changed even without
> losing signatures from other people.
>
> Chris.

From cam at mathematica.scientia.net Tue Nov 1 01:50:49 2005
From: cam at mathematica.scientia.net (Christoph Anton Mitterer)
Date: Tue Nov 1 01:50:37 2005
Subject: GnuPG key capabilities
In-Reply-To: <001701c5de7d$d2c2fec0$371387d8@net>
References: <000501c5dbf2$aaa78100$d81387d8@net><20051028191129.GA27024@jabberwocky.com> <4366AE1E.6030701@mathematica.scientia.net> <001701c5de7d$d2c2fec0$371387d8@net>
Message-ID: <4366BBE9.1020608@mathematica.scientia.net>

Joe Vender wrote:

>A specific key's capabilitie(s) are the defined purpose(s) or usage of the
>particular key. For example, when you generate a key, you are asked what
>the key should be used for (encrypt only, sign only, encrypt & sign,
>authentication, certification). These are the possible key capabilities,
>and when chosen at key generation time, become the key's capabilitie(s).
>The key's capabilities are displayed after "usage:" when you do a
>gpg --edit-key.

Ah,.. thanks :-)

Ok,.. encrypt/sign is clear,... but what can I do with authentication and
certification?

Best wishes,
Chris.

From jvender at owensboro.net Tue Nov 1 03:15:15 2005
From: jvender at owensboro.net (Joe Vender)
Date: Tue Nov 1 03:16:58 2005
Subject: GnuPG key capabilities
References: <000501c5dbf2$aaa78100$d81387d8@net><20051028191129.GA27024@jabberwocky.com> <4366AE1E.6030701@mathematica.scientia.net> <001701c5de7d$d2c2fec0$371387d8@net> <4366BBE9.1020608@mathematica.scientia.net>
Message-ID: <000901c5de8a$1b961180$261d87d8@net>

> >A specific key's capabilitie(s) are the defined purpose(s) or usage of the
> >particular key. For example, when you generate a key, you are asked what
> >the key should be used for (encrypt only, sign only, encrypt & sign,
> >authentication, certification). These are the possible key capabilities,
> >and when chosen at key generation time, become the key's capabilitie(s).
> >The key's capabilities are displayed after "usage:" when you do a
> >gpg --edit-key.
>
> Ah,.. thanks :-)
>
> Ok,.. encrypt/sign is clear,... but what can I do with authentication and
> certification?

See:
http://lists.gnupg.org/pipermail/gnupg-users/2005-April/025390.html

From ssrini at linuxmail.org Wed Nov 2 13:39:10 2005
From: ssrini at linuxmail.org (Srinivasan S)
Date: Wed Nov 2 13:39:27 2005
Subject: libgpgerror cross compilation
Message-ID: <20051102123910.BF3D5CA0A3@ws5-11.us4.outblaze.com>

Hi Werner, Marcus

Apologies for double posting already ..

I just noticed that I do not have a locale directory .. In fact the
/root/w32root directory itself is not present. Where/How do I get this ?

Thanks & Regards
Srini

----- Original Message -----
From: "Srinivasan S"
To: gnupg-devel@gnupg.org
Subject: libgpgerror cross compilation
Date: Wed, 02 Nov 2005 20:20:59 +0800

>
> Hi Werner, Marcus
>
> I am back with cross compilation questions :-) Based on your
> suggestions I have set up a Debian box and apt-get the MingW package
> etc. To test it I got the svn trunk versions of gnupg and did a
> compile, no problems.
>
> I tried to build libgpgerror and am getting compilation errors
> (compilation for linux is perfect). Attached the config.log and
> the errors I got. Your help in this is appreciated.
>
> Note: My objective is to get libgpgme compiled and built as a dll,
> and I need libgpgerror for that right ?
>
> Regards
> Srini

<< config.log >>

From wk at gnupg.org Wed Nov 2 13:50:03 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 2 13:51:49 2005
Subject: libgpgerror cross compilation
In-Reply-To: <20051102122059.1DC1423D02@ws5-3.us4.outblaze.com> (Srinivasan S.'s message of "Wed, 02 Nov 2005 20:20:59 +0800")
References: <20051102122059.1DC1423D02@ws5-3.us4.outblaze.com>
Message-ID: <87d5ljmcxw.fsf@wheatstone.g10code.de>

On Wed, 02 Nov 2005 20:20:59 +0800, Srinivasan S said:

> Note: My objective is to get libgpgme compiled and built as a dll, and I need libgpgerror for that right ?

Right. If you have problems with the DLL please update your CVS, I have
just fixed some minor things in case libintl was not found.

Salam-Shalom,

Werner

From wk at gnupg.org Wed Nov 2 13:52:08 2005
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 2 13:56:48 2005
Subject: libgpgerror cross compilation
In-Reply-To: <20051102123910.BF3D5CA0A3@ws5-11.us4.outblaze.com> (Srinivasan S.'s message of "Wed, 02 Nov 2005 20:39:10 +0800")
References: <20051102123910.BF3D5CA0A3@ws5-11.us4.outblaze.com>
Message-ID: <878xw7mcuf.fsf@wheatstone.g10code.de>

On Wed, 02 Nov 2005 20:39:10 +0800, Srinivasan S said:

> I just noticed that I do not have a locale directory .. In fact the /root/w32root directory itself is not present. Where/How do I get this ?

First of all: Do not build software under the root account!

You must create the root directory:

  $ mkdir ~/w32root

or use

  $ w32root=/path/to/existing/w32root/directory
  $ export w32root

Shalom-Salam,

Werner

From ssrini at linuxmail.org Wed Nov 2 14:13:20 2005
From: ssrini at linuxmail.org (Srinivasan S)
Date: Wed Nov 2 14:13:37 2005
Subject: libgpgerror cross compilation
Message-ID: <20051102131320.78C894383F@ws5-1.us4.outblaze.com>

Hi Werner

Thanks for the hint on cvs ..it worked.

The root was an error (I had done a su - to set something else right and
created the makefile) . I compile under my login (as can be seen from the
files)

Anyway you are a saviour .. Thanks a million

Regards
Srini

----- Original Message -----
From: "Werner Koch"
To: "Srinivasan S"
Subject: Re: libgpgerror cross compilation
Date: Wed, 02 Nov 2005 13:52:08 +0100

>
> On Wed, 02 Nov 2005 20:39:10 +0800, Srinivasan S said:
>
> > I just noticed that I do not have a locale directory .. In fact
> > the /root/w32root directory itself is not present. Where/How do
> > I get this ?
>
> First of all: Do not build software under the root account!
>
> You must create the root directory:
>
> $ mkdir ~/w32root
>
> or use
>
> $ w32root=/path/to/existing/w32root/directory
> $ export w32root
>
>
> Shalom-Salam,
>
> Werner

From dshaw at jabberwocky.com Wed Nov 2 17:28:26 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Nov 2 17:28:46 2005
Subject: Code for 'clean total'
In-Reply-To: <4365E0B2.13111.CC8255F@localhost>
References: <43656BD6.12658.AFFA8E6@localhost> <4365E0B2.13111.CC8255F@localhost>
Message-ID: <20051102162826.GA22620@jabberwocky.com>

On Mon, Oct 31, 2005 at 09:15:30AM +0100, Dirk Traulsen wrote:
> On 30 Oct 2005 at 23:06, David Shaw wrote:
>
> > I have no problem with the function concept.
>
> I'm delighted to hear that.

Here's what I did - rather than add yet another option (which impacts
all of keyserver use, import, exports, and --edit-key), I just changed
clean sigs to remove sigs from unavailable keys. It just seems like
the simplest solution all round.

David

From jvender at owensboro.net Thu Nov 3 02:17:09 2005
From: jvender at owensboro.net (Joe Vender)
Date: Thu Nov 3 02:18:59 2005
Subject: GnuPG 1.4.3-cvs make warnings on MingW/MSYS
Message-ID: <000501c5e014$5285df00$cd1487d8@net>

Hi,

When building GnuPG 1.4.3-cvs native windows binaries on MinGW/MSYS, I get
the following make warnings:

secmem.c: In function `init_pool':
secmem.c:223: warning: implicit declaration of function `getpagesize'

iobuf.c: In function `iobuf_get_fd':
iobuf.c:1930: warning: return makes integer from pointer without a cast

gpgkeys_hkp.c: In function `search_key':
gpgkeys_hkp.c:301: warning: passing arg 1 of `curl_escape' discards qualifiers from pointer target type

The configure line is:

$ CFLAGS='-O3 -mtune=i386 -march=i386 -mfpmath=387 -mno-mmx -mno-sse -mno-3dnow -mno-sse2' ./configure --with-included-regex --with-included-gettext --with-gnu-ld --prefix="/home/gpg-inst" LDFLAGS='-static'

Regards,
Joe Vender

From dshaw at jabberwocky.com Thu Nov 3 05:16:02 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Nov 3 05:16:27 2005
Subject: GnuPG 1.4.3-cvs make warnings on MingW/MSYS
In-Reply-To: <000501c5e014$5285df00$cd1487d8@net>
References: <000501c5e014$5285df00$cd1487d8@net>
Message-ID: <20051103041602.GA23173@jabberwocky.com>

On Wed, Nov 02, 2005 at 07:17:09PM -0600, Joe Vender wrote:
> Hi,
>
> When building GnuPG 1.4.3-cvs native windows binaries on MinGW/MSYS, I get
> the following make warnings:
>
> secmem.c: In function `init_pool':
> secmem.c:223: warning: implicit declaration of function `getpagesize'

> gpgkeys_hkp.c: In function `search_key':
> gpgkeys_hkp.c:301: warning: passing arg 1 of `curl_escape' discards
> qualifiers from pointer target type

I believe I've fixed these two. Can you double check it on your MinGW
setup?

David

From jvender at owensboro.net Thu Nov 3 07:23:05 2005
From: jvender at owensboro.net (Joe Vender)
Date: Thu Nov 3 07:24:49 2005
Subject: GnuPG 1.4.3-cvs make warnings on MingW/MSYS
References: <000501c5e014$5285df00$cd1487d8@net> <20051103041602.GA23173@jabberwocky.com>
Message-ID: <000801c5e03f$10199280$aa1c87d8@net>

> > When building GnuPG 1.4.3-cvs native windows binaries on MinGW/MSYS, I get
> > the following make warnings:
> >
> > secmem.c: In function `init_pool':
> > secmem.c:223: warning: implicit declaration of function `getpagesize'
>
> > gpgkeys_hkp.c: In function `search_key':
> > gpgkeys_hkp.c:301: warning: passing arg 1 of `curl_escape' discards
> > qualifiers from pointer target type
>
> I believe I've fixed these two. Can you double check it on your MinGW
> setup?

Wow, that was fast! Thanks David.

I've just finished doing a make with the new code. These two warning
messages no longer appear during make. Now, the only warning message I'm
getting is the other one I mentioned:

iobuf.c: In function `iobuf_get_fd':
iobuf.c:1930: warning: return makes integer from pointer without a cast

Regards,
Joe Vender

From dirk.traulsen at lypso.de Thu Nov 3 19:52:10 2005
From: dirk.traulsen at lypso.de (Dirk Traulsen)
Date: Thu Nov 3 20:13:10 2005
Subject: Code for 'clean total'
In-Reply-To: <20051102162826.GA22620@jabberwocky.com>
References: <4365E0B2.13111.CC8255F@localhost>
Message-ID: <436A6A6A.27578.1E821AA8@localhost>

On 2 Nov 2005 at 11:28, David Shaw wrote:

> On Mon, Oct 31, 2005 at 09:15:30AM +0100, Dirk Traulsen wrote:
> > On 30 Oct 2005 at 23:06, David Shaw wrote:
> >
> > > I have no problem with the function concept.
> >
> > I'm delighted to hear that.
>
> Here's what I did - rather than add yet another option (which impacts
> all of keyserver use, import, exports, and --edit-key), I just changed
> clean sigs to remove sigs from unavailable keys. It just seems like
> the simplest solution all round.

The ideal solution in my opinion.
Next time I will ask before I try to implement something myself and
send you the code.

Dirk

From dirk.traulsen at lypso.de Sat Nov 5 23:12:21 2005
From: dirk.traulsen at lypso.de (Dirk Traulsen)
Date: Sat Nov 5 23:11:21 2005
Subject: bug in option 'ask-sig-expire'
Message-ID: <436D3C55.7000.298619B9@localhost>

Hi!

It seems like I could have found a bug:

In gpg 1.4.2 the option '--ask-sig-expire' does not work.

If you type 'gpg --ask-sig-expire -s Filename',
you will not be asked for the duration of the signature, like you
will be, if you type 'gpg --ask-cert-expire --sign-key UID'.
It does not work, if you put it in the options file either.

Dirk

From dshaw at jabberwocky.com Sat Nov 5 23:19:54 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Nov 5 23:25:52 2005
Subject: bug in option 'ask-sig-expire'
In-Reply-To: <436D3C55.7000.298619B9@localhost>
References: <436D3C55.7000.298619B9@localhost>
Message-ID: <20051105221954.GA6267@jabberwocky.com>

On Sat, Nov 05, 2005 at 11:12:21PM +0100, Dirk Traulsen wrote:
> Hi!
>
> It seems like I could have found a bug:
>
> In gpg 1.4.2 the option '--ask-sig-expire' does not work.
>
> If you type 'gpg --ask-sig-expire -s Filename',
> you will not be asked for the duration of the signature, like you
> will be, if you type 'gpg --ask-cert-expire --sign-key UID'.
> It does not work, if you put it in the options file either.

What happens when you do "gpg --ask-sig-expire --no-force-v3-sigs -s
Filename" ?

David

From dirk.traulsen at lypso.de Sun Nov 6 09:40:38 2005
From: dirk.traulsen at lypso.de (Dirk Traulsen)
Date: Sun Nov 6 09:39:37 2005
Subject: bug in option 'ask-sig-expire'
In-Reply-To: <20051105221954.GA6267@jabberwocky.com>
References: <436D3C55.7000.298619B9@localhost>
Message-ID: <436DCF96.6018.2BC54F34@localhost>

On 5 Nov 2005 at 17:19, David Shaw wrote:

> What happens when you do "gpg --ask-sig-expire --no-force-v3-sigs -s
> Filename" ?

Then I get asked for the expiration interval.
Is '--force-v3-sigs' a default option? I don't have it in my options
file.

Oh, and as I forgot to give the information last time, the behaviour
is the same on SuSE Linux 10.0, WinXP and Win95 with the German
version of gpg 1.4.2.

Dirk

From dshaw at jabberwocky.com Sun Nov 6 14:53:03 2005
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Nov 6 14:53:27 2005
Subject: bug in option 'ask-sig-expire'
In-Reply-To: <436DCF96.6018.2BC54F34@localhost>
References: <436D3C55.7000.298619B9@localhost> <436DCF96.6018.2BC54F34@localhost>
Message-ID: <20051106135303.GB6267@jabberwocky.com>

On Sun, Nov 06, 2005 at 09:40:38AM +0100, Dirk Traulsen wrote:
> On 5 Nov 2005 at 17:19, David Shaw wrote:
> > What happens when you do "gpg --ask-sig-expire --no-force-v3-sigs -s
> > Filename" ?
>
> Then I get asked for the expiration interval.
> Is '--force-v3-sigs' a default option? I don't have it in my options
> file.

Yes, it's the default. Up until fairly recently, PGP couldn't handle
a v4 signature on data (it only handled v4 signatures on keys). I'll
add a note in the docs about it.

David

From kazabe at gmail.com Wed Nov 9 13:09:31 2005
From: kazabe at gmail.com (kazabe)
Date: Wed Nov 9 14:55:56 2005
Subject: What i need to use my usb-tokens with gnupg?
Message-ID:

Hi

I need to use my usb-tokens with gnupg, but they simply don't work. All I
found is related to smart card readers and other usb tokens (aladdin
for example). These tokens are developed by Kalyisis, but they (apparently)
only give support for windows (and rsa or pgp).

This is the technical information about my devices:

*************************************************************************************

MEI1000

Generation of the double factor of authentication Hmac-md5 change-answer in the device.
* Middleware with support PKCS#11 and MS CAPTAIN
* Electronic storage of manifold Certified X.509 v3
* Generation of random numbers in hardware
* Compatible Driver PC/SC, signed by Microsoft
* Unique serial number of 64-bits
* Certificate of conformance EC and FCC
* Application controlled with light LED
* Based access navigator Web to MEI1000 through ActiveX controls and applet of Java
* Three levels of security to accede to the archives and administrative rights.
* Structure of directory of archives of two levels
* Standard interface USB

MEI2000

Cryptographic smart card integrated StarCOS SPK 2,3 of G&D
* Generation of the pair of keys RSA 1024-bit in the device, the private key cannot be exported
* Support integrated for RSA, DES, 3DES, Sha-1, MD5 and other algorithms of security and coding
* Middleware with support PKCS#11 and MS CAPTAIN
* Electronic storage of manifold Certified X.509 v3
* Generation of random numbers in hardware
* Compatible Driver PC/SC, signed by Microsoft
* Powerful connectivity Plug & Play for applications of PKI
* Digital company/signature from hardware
* Support for warehouse of multiple keys
* Support for multiple applications PKI and smart cards
* Certificate of conformance EC and FCC
* Standard interface USB
* Card Operating System

***************************************************************************************

So, is it possible to use these devices with gnupg? Can you provide me some
links or papers (or anything) to use my devices with gpg?

Best regards.

--
"Imagination is more important than knowledge" A.E.

From zvrba at globalnet.hr Wed Nov 9 15:27:05 2005
From: zvrba at globalnet.hr (zvrba@globalnet.hr)
Date: Wed Nov 9 16:55:42 2005
Subject: What i need to use my usb-tokens with gnupg?
In-Reply-To:
References:
Message-ID: <20051109142658.GA5493@zax.ifi.uio.no>

On Wed, Nov 09, 2005 at 07:09:31AM -0500, kazabe wrote:
>
> * Middleware with support PKCS#11 and MS CAPTAIN
>
GnuPG does not, and according to Werner, will not support PKCS#11. Also,
it seems that your devices don't support PKCS#15. So I'd say - forget it.

You might try to play around with OpenSC, but you might destroy your
device doing so (i.e. giving incorrect transport key several times..).
I recommend against it.

From wk at gnupg.org Wed Nov 9 20:56:02 2005
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 10 09:19:17 2005
Subject: What i need to use my usb-tokens with gnupg?
In-Reply-To: <20051109142658.GA5493@zax.ifi.uio.no> (zvrba@globalnet.hr's message of "Wed, 9 Nov 2005 15:27:05 +0100")
References: <20051109142658.GA5493@zax.ifi.uio.no>
Message-ID: <877jbhegtp.fsf@wheatstone.g10code.de>

On Wed, 9 Nov 2005 15:27:05 +0100, zvrba said:

> it seems that your devices don't support PKCS#15. So I'd say - forget it.

Not really. Although gpg does not make use of cards other than those
of the OpenPGP card specs, its cousin gpgsm can make use of several
cards. It is actually not the type of the card but the application
available on the card, pkcs#15 is such an application, OpenPGP is one,
DINSIG is one, NKS is the one used by Telesec.

It is pretty easy to add a new application. The hard part is to get
the specs from the card application vendor.

Aside from gpgsm, you may also use gpg-agent to support ssh with cards.
It is pretty straightforward to implement this if you have basic
support for your card's application.

See app-p15.c (and there look for subtype BELPIC) and app-openpgp.c to
see what is needed. If you have problems, just ask here.

Salam-Shalom,

Werner

From acarrico at memebeam.org Fri Nov 18 17:17:42 2005
From: acarrico at memebeam.org (Anthony Carrico)
Date: Fri Nov 18 18:25:58 2005
Subject: PR297, NODATA status
Message-ID: <20051118161742.GA5571@memebeam.org>

Problem Report 297 is listed as closed. The bug report doesn't seem to
indicate how the problem was resolved. Does GnuPG now refrain from
emitting NODATA for auto key retrieval failure?

--
Anthony Carrico
http://giftfile.org

From jmm at inutil.org Mon Nov 21 12:54:54 2005
From: jmm at inutil.org (Moritz Muehlenhoff)
Date: Mon Nov 21 14:37:56 2005
Subject: AES sidechannel attack by Osvik/Shamir/Tromer
Message-ID: <20051121115454.GA10206@informatik.uni-bremen.de>

Hi,
there's a paper by Osvik, Shamir and Tromer that discusses local
side channel attacks on cache access times of AES tables:
http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf

Can you please comment to which extent gnupg's AES implementation is
affected? If so, are you planning to implement some of the mitigation
measures described in chapter 5?

Cheers,
Moritz

From wk at gnupg.org Mon Nov 21 18:54:41 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 21 18:57:02 2005
Subject: AES sidechannel attack by Osvik/Shamir/Tromer
In-Reply-To: <20051121115454.GA10206@informatik.uni-bremen.de> (Moritz Muehlenhoff's message of "Mon, 21 Nov 2005 12:54:54 +0100")
References: <20051121115454.GA10206@informatik.uni-bremen.de>
Message-ID: <878xvhyjha.fsf@wheatstone.g10code.de>

On Mon, 21 Nov 2005 12:54:54 +0100, Moritz Muehlenhoff said:

> there's a paper by Osvik, Shamir and Tromer that discusses local
> side channel attacks on cache access times of AES tables:
> http://www.wisdom.weizmann.ac.il/~tromer/papers/cache.pdf

Not sure whether I read that paper, but these attacks on AES are based
on the assumption that there exists an oracle with a huge bandwidth.
Anyone implementing a cryptographic application and allowing for an
oracle is plain stupid.

Regarding local attacks: Using private keys on a multi-user machine is
not a good idea at all. Root will be able to compromise any key (not
just AES session keys but all public key operations) and further,
there are far too many local system exploits that it is definitely
easier to gain root than to mount complicated timing attacks.

Salam-Shalom,

Werner

From wk at gnupg.org Mon Nov 21 18:56:40 2005
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 21 19:01:58 2005
Subject: PR297, NODATA status
In-Reply-To: <20051118161742.GA5571@memebeam.org> (Anthony Carrico's message of "Fri, 18 Nov 2005 11:17:42 -0500")
References: <20051118161742.GA5571@memebeam.org>
Message-ID: <874q65yjdz.fsf@wheatstone.g10code.de>

On Fri, 18 Nov 2005 11:17:42 -0500, Anthony Carrico said:

> Problem Report 297 is listed as closed. The bug report doesn't seem to
> indicate how the problem was resolved.
> Does GnuPG now refrain from
> emitting NODATA for auto key retrieval failure?

From bogus@does.not.exist.com Thu Nov 10 09:51:52 2005
From: bogus@does.not.exist.com ()
Date: Mon Nov 21 19:01:58 2005
Subject: No subject
Message-ID:

recursions to key lookup and avoid issuing errors then.

Shalom-Salam,

Werner

From ddcc at email.com Tue Nov 29 09:56:18 2005
From: ddcc at email.com (ddcc@email.com)
Date: Tue Nov 29 11:57:35 2005
Subject: Bug report: "Ohhhh jeeee" error when GnuPG 1.4.1 installed suid with caps enabled
In-Reply-To: <20050318204803.6e3d08b8@TANG-ONE-FIFTY-NINE.MIT.EDU>
References: <20050318204803.6e3d08b8@TANG-ONE-FIFTY-NINE.MIT.EDU>
Message-ID: <20051129035618.4a2d5a9f@TANG-FOUR-EIGHTY-ONE.MIT.EDU>

Hi,

I pointed out this problem in March, but it's still present in 1.4.2,
so I'm bumping this thread, and pointing you guys to a patch at .

In summary, the problem is that if GnuPG is built with capabilities
enabled *AND* the binary is setuid, we get the "Ohhhh jeeee" panic
because gnupg drops capabilities but doesn't drop root, so the
getuid()!=geteuid() test fails.

The patch makes sure it drops root even if capabilities are enabled.
(It also cleans up a capabilities context leak.)

Original bug report with full details: .

--David

From rdieter at math.unl.edu Wed Nov 30 18:51:48 2005
From: rdieter at math.unl.edu (Rex Dieter)
Date: Wed Nov 30 22:26:46 2005
Subject: libksba > 0.9.11 + gnupg-1.9.19 'make check' failures on x86_64
Message-ID:

I've been trying to build gnupg-1.9.19 on Fedora Core 3/4 x86_64, but
'make check' always fails (because gpgsm segfaults)... relevant section
of the build.log appended below.

i386 and ppc builds and checks fine.

On x86_64, gnupg-1.9.19 hacked to build against libksba-0.9.11 builds
and checks fine too.

Full build.log available at:
http://buildsys.fedoraproject.org/logs/fedora-development-extras/1443-gnupg2-1.9.19-3.fc5/x86_64/

make[1]: Entering directory `/builddir/build/BUILD/gnupg-1.9.19/tests'
make check-TESTS
make[2]: Entering directory `/builddir/build/BUILD/gnupg-1.9.19/tests'
gpgsm: WARNING: running with faked system time: 2002-12-02 13:29:59
read_assuan: read "OK GNU Privacy Guard's S/M server 1.9.19 ready"
read_assuan: read " "
sending `INPUT FD=9'
expecting OK
read_assuan: read "OK"
read_assuan: read " "
sending `OUTPUT FD=10'
expecting OK
read_assuan: read "OK"
read_assuan: read " "
sending `SIGN'
expecting OK
gpgsm: can't connect to `/builddir/build/BUILD/gnupg-1.9.19/tests/S.gpg-agent': No such file or directory
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: DBG: adding certificates at level 1
gpgsm: signature created
read_assuan: read "S PROGRESS starting_agent ? 0 0"
read_assuan: read " "
read_assuan: read "S SIG_CREATED S 1 2 00 20021202T132959 3CF405464F66ED4A7DF45BBDD1E4282E33BDB76E "
read_assuan: read "OK"
read_assuan: read " "
sending `RESET'
expecting OK
read_assuan: read "OK"
read_assuan: read " "
sending `INPUT FD=11'
expecting OK
read_assuan: read "OK"
read_assuan: read " "
sending `OUTPUT FD=12'
expecting OK
read_assuan: read "OK"
read_assuan: read " "
sending `VERIFY'
expecting OK
gpgsm: signal Segmentation fault caught ... exiting
read_assuan: read ""
asschk: read_assuan: received incomplete line on fd 13
FAIL: sm-sign+verify

From bogus@does.not.exist.com Thu Nov 10 09:51:52 2005
From: bogus@does.not.exist.com ()
Date: Thu Apr 13 11:34:11 2006
Subject: No subject
Message-ID:

tes.

Are there any plans to incorporate it into gpg? If so, why not?
;-)

--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

From bogus@does.not.exist.com Thu Nov 10 09:51:52 2005
From: bogus@does.not.exist.com ()
Date: Thu Apr 13 18:26:16 2006
Subject: No subject
Message-ID:

the option of a block cipher that uses different non-linear substitutions
in different rounds. However, it would seem that key-dependent and/or
data-dependent non-linear substitutions are more resistant to attack than
Serpent's static set of s-boxes used with a static schedule.

-Karl

From bogus@does.not.exist.com Thu Nov 10 09:51:52 2005
From: bogus@does.not.exist.com ()
Date: Fri Jun 2 14:46:30 2006
Subject: No subject
Message-ID:

problem does not affect cleartext signatures. Am I correct, or is this a
misinterpretation?

The announcement sounds like gpg would still correctly verify (only)
data covered by the signature, but then output data which is not covered
by the signature. So it would still be safe to assume that anything between

-----BEGIN PGP SIGNED MESSAGE-----

and the following

-----BEGIN PGP SIGNATURE-----

is correctly validated(?).

regards,
rainer

From bogus@does.not.exist.com Thu Nov 10 09:51:52 2005
From: bogus@does.not.exist.com ()
Date: Tue Jun 27 00:18:49 2006
Subject: No subject
Message-ID:

Note that you can append an exclamation mark (!) to key IDs or
fingerprints. This flag tells GnuPG to use the specified primary or
secondary key and not to try and calculate which primary or secondary
key to use.

David
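
The setuid report earlier in this archive ("Ohhhh jeeee" with capabilities enabled) turns on a process that gives up capabilities but keeps effective UID 0, so a later getuid() != geteuid() check trips. The following is an added example, not GnuPG's code and not the patch that message refers to: one way to drop root permanently and confirm the drop held. The function names drop_root_permanently and still_elevated are hypothetical.

```c
/* Added example: permanent privilege drop for a setuid-root program.
 * Not GnuPG source; function names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Non-zero while the process still runs with an identity it was not
 * started with, i.e. the getuid() != geteuid() condition from the report. */
int still_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Give up every setuid/setgid identity and confirm it cannot come back.
 * Returns 0 on success, -1 on failure (the caller should abort). */
int drop_root_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    /* Group first: once the UID is no longer 0, setgid() may be refused. */
    if (setgid(rgid) != 0)
        return -1;

    /* With effective UID 0, setuid() replaces the real, effective and
     * saved UID in one step, which is what makes the drop permanent. */
    if (setuid(ruid) != 0)
        return -1;

    if (still_elevated())
        return -1;

    /* A drop only counts if the old identity cannot be restored. This
     * also catches a binary that is setuid to a non-root user, where
     * setuid() leaves the saved UID behind. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* Work that needed the setuid bit would run here, before the drop.
     * The drop must happen on every code path, including builds that
     * also manage capabilities. */
    if (drop_root_permanently() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("uid=%ld euid=%ld elevated=%d\n",
           (long)getuid(), (long)geteuid(), still_elevated());
    return 0;
}
```
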